Squash

Author: fkirc

.gitattributes

@@ -0,0 +1,3 @@
+# Do not change line endings
+* text=false
+

.gitignore

@@ -0,0 +1,16 @@
+
+*.o
+*.so
+*.a
+*.bin
+.idea/
+cmake-build-debug/
+CMakeFiles/
+.idea/
+cmake_install.cmake
+CMakeCache.txt
+Makefile
+*.cbp
+
+*.sealed_macsec_keypair
+*.report

README.md

@@ -0,0 +1,67 @@
+Trusted Network Interface
+
+_________________________________________________________________________
+**Build Setup (Simulation Mode):**
+
+This has been tested with Ubuntu 18.04.    
+Please refer to the official Intel instructions if anything fails.
+
+Install the packages:    
+`make cmake git g++ cppcheck`    
+`ocaml ocamlbuild automake autoconf libtool wget python libssl-dev`    
+    
+Download, build and install the linux-sgx sdk:    
+`git clone https://github.com/intel/linux-sgx.git`    
+`cd linux-sgx`    
+`./download_prebuilt.sh`    
+`make sdk`    
+`cd linux/installer/bin`    
+`./build-installpkg.sh sdk`    
+`./sgx_linux_x64_sdk_XXX.bin # install in "~" when asked`
+    
+Build and run the tests:
+
+`./run_tests_locally.sh SIM`
+
+_________________________________________________________________________
+**Build Setup (Hardware Mode):**
+
+Please complete the simulation mode instructions before setting up the hardware mode.
+Hardware mode works only on SGX-supported platforms.
+
+Configure your system to `SGX enabled`. You might need to enable SGX within your BIOS settings.
+
+Build and install the SGX Driver according to the instructions in
+`https://github.com/intel/linux-sgx-driver`.    
+Afterwards, check whether the SGX Driver is running:
+`lsmod | grep isgx`
+
+Install the packages:    
+`libprotobuf-dev protobuf-compiler libcurl4-openssl-dev`
+
+Build and install the SGX Platform Service:   
+`cd linux-sgx`   
+`make`   
+`cd linux/installer/bin`   
+`./build-installpkg.sh psw`   
+`sudo ./sgx_linux_x64_psw_XXX.bin`   
+
+Build and run the tests:
+
+`git clean -xfd # cleanup for a fresh build`    
+`./run_tests_locally.sh HW`    
+
+
+_________________________________________________________________________
+**Future work:**
+Implementing those protocol validations in C is a bad idea with respect to security.
+The choice of C was only made for the sake of a quick implementation.
+I strongly recommend that future TEE implementations use a secure language from the beginning (e.g. Rust, Go, Java).
+
+
+_________________________________________________________________________
+**Limitations of SGX:**
+SGX cannot directly access any external hardware.
+Therefore, it is necessary to establish a cryptographic channel to securely communicate between an SGX enclave and external hardware.
+In this work, we used a "MACSec gateway" for this cryptographic channel.
+Other TEEs can be configured to avoid this issue altogether (e.g. ARM TrustZone).

build.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -e # abort if anything fails
+set -x # print commands
+
+if [[ $EUID -eq 0 ]]; then
+   echo "We do not recommend to build as root" 1>&2
+   exit -1
+fi
+
+if [ -z "$SGX_MODE" ]; then
+    echo "SGX_MODE must be set to SIM or HW"
+    exit -1
+fi
+
+# Build the remote end stuff
+REMOTE_DIR=remote_end
+( cd ${REMOTE_DIR} && cmake . && make )
+
+# Build the test app, test enclave and the libraries
+TEST_APP_DIR=tests
+( cd ${TEST_APP_DIR} && cmake . && make )

common/key_file_definitions.h

@@ -0,0 +1,27 @@
+#pragma once
+
+// Definition of our macsec key pair file format used for installing and sealing macsec key pairs
+
+// The macsec key pair file format is specified as follows: key_file_header || ENCLAVE_TX_KEY || ENCLAVE_RX_KEY
+// The size of a macsec key pair file must be (sizeof(key_file_header) + 16 + 16)
+
+static const char key_file_header[] = "macsec_keypair_2*128bit"; // the terminating null byte is also included in the key file
+#define KEY_FILE_SIZE (2 * MACSEC_KEY_SIZE + sizeof(key_file_header))
+
+#define ERROR_INVALID_KEY_FILE_SIZE (-2)
+#define ERROR_INVALID_KEY_FILE_HEADER (-3)
+#define ERROR_SEALING_OPERATION_FAILED (-3)
+#define ERROR_UNSEALING_OPERATION_FAILED (-4)
+#define ERROR_INVALID_SEALED_KEY_FILE_SIZE (-5)
+#define ERROR_KEYPAIR_NOT_DIFFERENT (-6)
+
+#define MACSEC_OVERHEAD 32 // overhead per packet: 16 bytes sectag + 16 bytes icv, may need to be changed for new cipher suites
+#define MACSEC_KEY_SIZE 16
+
+#define MAX_PACK_SIZE 10000 // should not be too large, since this is used as local buffer on the stack
+
+#define MAC_HEADER_LEN 12 // dest mac || source mac
+#define MIN_PACKET_LEN (MAC_HEADER_LEN + 2) // dest mac || source mac || ether type
+#define MIN_MACSEC_LEN (MIN_PACKET_LEN + MACSEC_OVERHEAD)
+
+#define ETHER_TYPE_MACSEC 0xE588

common/logging.h

@@ -0,0 +1,10 @@
+#pragma once
+
+#include <string.h>
+#include <stdio.h>
+
+#define __FILENAME__ (strrchr(__FILE__, '/') ? strrchr(__FILE__, '/') + 1 : __FILE__)
+
+#define TEST_LOG(...) printf("%s: ", __FILENAME__); printf(__VA_ARGS__)
+
+#define DEBUG_LOG(...) TEST_LOG(__VA_ARGS__)

common/netutils.c

@@ -0,0 +1,57 @@
+#include "netutils.h"
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <net/if.h>
+#include <sys/ioctl.h>
+#include <fcntl.h>
+#include <arpa/inet.h>
+#include <linux/if_packet.h>
+#include <net/ethernet.h>
+#include <stdlib.h>
+#include <errno.h>
+
+static int interface_exists(const char* iface) {
+    return if_nametoindex(iface);
+}
+
+int open_raw_socket(const char *iface) {
+
+    if (!interface_exists(iface)) {
+        DEBUG_LOG("The interface %s does not exist! Available interfaces:\n", iface);
+        run_cmd("ip link");
+        return -1;
+    }
+
+    int raw_fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
+    if (raw_fd == -1) {
+        perror("socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL))");
+        return -1;
+    }
+
+    struct sockaddr_ll socket_address = {0};
+    socket_address.sll_family = PF_PACKET;
+    socket_address.sll_ifindex = if_nametoindex(iface);
+    socket_address.sll_protocol = htons(ETH_P_ALL);
+
+    int ret = bind(raw_fd, (struct sockaddr *) &socket_address, sizeof(socket_address));
+    if (ret) {
+        perror("bind()");
+        return -1;
+    }
+
+    return raw_fd;
+}
+
+
+int get_mac_address(const char* iface, const int raw_fd, char* mac) {
+
+    struct ifreq ifr = {0};
+    strncpy(ifr.ifr_name, iface, IFNAMSIZ - 1);
+    if ((ioctl(raw_fd, SIOCGIFHWADDR, &ifr)) < 0) {
+        perror("ioctl()");
+        return -1;
+    }
+    memcpy(mac, ifr.ifr_hwaddr.sa_data, 6);
+    return 0;
+}

common/netutils.h

@@ -0,0 +1,7 @@
+#pragma once
+
+#include "utils.h"
+
+int open_raw_socket(const char* iface);
+
+int get_mac_address(const char* iface, const int raw_fd, char* mac);

common/pn_definitions.h

@@ -0,0 +1,26 @@
+#pragma once
+
+#include <inttypes.h>
+
+// Profinet related definitions, used by enclave, test app, remote simulation
+
+struct dcp_packet {
+    struct ether_header ether;
+    uint16_t frame_id;
+    uint8_t service_id;
+    uint8_t service_type;
+    uint32_t xid;
+    uint16_t response_delay;
+    uint16_t dcp_data_length;
+} __attribute__((packed));
+
+#define ETHER_TYPE_PROFINET 0x9288
+#define DCP_IDENTIFY_MULTICAST_REQUEST 0xfefe
+#define DCP_IDENTIFY_RESPONSE 0xfffe
+#define DCP_SERVICE_ID_IDENTIFY 5
+#define DCP_SERVICE_TYPE_REQUEST 0
+#define DCP_SERVICE_TYPE_RESPONSE 1
+
+#define DCP_DATA_LENGTH_REQUEST 4
+
+static const uint8_t pn_multicast[] = {0x01,0x0e,0xcf,0x00,0x00,0x00};

common/snmp_definitions.h

@@ -0,0 +1,44 @@
+#pragma once
+
+#include <inttypes.h>
+
+// snmp related definitions
+
+struct snmp_hdr {
+    uint8_t snmp_id;
+    uint8_t snmp_len;
+    uint8_t version_id;
+    uint8_t version_len;
+    uint8_t version;
+    uint8_t community_id;
+    uint8_t community_len;
+    uint8_t community[6];
+    uint8_t body_id;
+    uint8_t body_len;
+    uint8_t request_id_id;
+    uint8_t request_id_len;
+    uint32_t request_id;
+    uint8_t error_status_id;
+    uint8_t error_status_len;
+    uint8_t error_status;
+    uint8_t error_index_id;
+    uint8_t error_index_len;
+    uint8_t error_index;
+} __attribute__((packed));
+
+#define SNMP_SNMP_ID 0x30
+#define SNMP_VERSION_ID 0x02
+#define SNMP_COMMUNITY_ID 0x04
+#define SNMP_BODY_ID_GET_REQUEST 0xa0
+#define SNMP_BODY_ID_GET_NEXT_REQUEST 0xa1
+#define SNMP_BODY_ID_GET_RESPONSE 0xa2
+#define SNMP_REQUEST_ID_ID 0x02
+#define SNMP_ERROR_STATUS_ID 0x02
+#define SNMP_ERROR_INDEX_ID 0x02
+
+#define SNMP_PORT 161
+
+static const uint8_t snmp_community_public[] = "\x70\x75\x62\x6c\x69\x63";
+
+static const uint8_t snmp_fake_bindings_scalance_x200[] = "\x30\x0f\x30\x0d" \
+"\x06\x08\x2b\x06\x01\x02\x01\x01\x02\x00\x06\x01\x00";

common/tcp_definitions.h

@@ -0,0 +1,94 @@
+#pragma once
+
+#include <inttypes.h>
+#include <stdlib.h> // size_t
+#include <unistd.h> // ssize_t
+
+#define ETHER_TYPE_ARP 0x0608
+#define ETHER_TYPE_IPV4 0x0008
+#define IP_PROTO_TCP 0x06
+#define IP_PROTO_UDP 0x11
+
+// This ether_header is compatible with the Linux definition in <net/ethernet.h>
+struct ether_header
+{
+    uint8_t  ether_dhost[6];
+    uint8_t  ether_shost[6];
+    uint16_t ether_type;
+} __attribute__((packed));
+
+
+struct ip_header {
+    uint8_t ver_ihl;        // Version (4 bits) + Internet header length (4 bits)
+    uint8_t tos;            // Type of service
+    uint16_t tlen;            // Total length
+    uint16_t identification; // Identification
+    uint16_t flags_fo;        // Flags (3 bits) + Fragment offset (13 bits)
+    uint8_t ttl;            // Time to live
+    uint8_t proto;            // Protocol
+    uint16_t crc;            // Header checksum
+    uint32_t saddr;        // Source address
+    uint32_t daddr;        // Destination address
+    //uint32_t op_pad;            // Option + Padding
+} __attribute__((packed));
+
+
+struct tcp_header {
+    uint16_t source;
+    uint16_t dest;
+    uint32_t seq;
+    uint32_t ack_seq;
+    uint16_t res1 : 4,
+            doff : 4,
+            fin : 1,
+            syn : 1,
+            rst : 1,
+            psh : 1,
+            ack : 1,
+            urg : 1,
+            ece : 1,
+            cwr : 1;
+    uint16_t window;
+    uint16_t check;
+    uint16_t urg_ptr;
+} __attribute__((packed));
+
+struct tcp_packet {
+    struct ether_header ether;
+    struct ip_header ip;
+    struct tcp_header tcp;
+} __attribute__((packed));
+
+
+struct arp_packet {
+    struct ether_header ether;
+    uint16_t hw_type;           // hardware type
+    uint16_t proto_type;        // protocol type
+    uint8_t hw_size;            // hardware address len
+    uint8_t prot_size;          // protocol address len
+    uint16_t opcode;            // arp opcode
+    uint8_t mac_sender[6];
+    uint32_t ip_sender;
+    uint8_t mac_target[6];
+    uint32_t ip_target;
+} __attribute__((packed));
+
+
+struct ipv4_packet {
+    struct ether_header ether;
+    struct ip_header ip;
+} __attribute__((packed));
+
+
+struct udphdr {
+    uint16_t source;
+    uint16_t dest;
+    uint16_t len;
+    uint16_t check;
+} __attribute__((packed));
+
+struct udp_packet {
+    struct ether_header ether;
+    struct ip_header ip;
+    struct udphdr udp;
+} __attribute__((packed));